Merge https://github.com/cisagov/skeleton-packer into lineage/skeleton

# Conflicts:
#	.github/workflows/build.yml
#	.github/workflows/prerelease.yml
#	.github/workflows/release.yml
#	src/packer.pkr.hcl
#	src/version.txt
#	terraform-post-packer/main.tf

.github/workflows/build.yml

@@ -238,6 +238,12 @@ jobs:
       - lint
       - test
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          - arm64
+          - x86_64
     steps:
       - id: harden-runner
         name: Harden the runner
@@ -315,8 +321,13 @@ jobs:
         # This runs through the AMI creation process but does not
         # actually create an AMI
         run: |
+<<<<<<< HEAD
           packer build -timestamp-ui \
             -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \
+=======
+          packer build -only amazon-ebs.${{ matrix.architecture }} \
+            -timestamp-ui \
+>>>>>>> d44181d2b276aa78c43b8b8a038b6c7a2d1fa52c
             -var skip_create_ami=true \
             src/packer.pkr.hcl
       - name: Remove /usr/bin/python3 symlink to the installed Python

.github/workflows/prerelease.yml

@@ -33,6 +33,12 @@ jobs:
     needs:
       - diagnostics
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          - arm64
+          - x86_64
     steps:
       - id: harden-runner
         name: Harden the runner
@@ -108,8 +114,13 @@ jobs:
         run: packer init src
       - name: Create machine image
         run: |
+<<<<<<< HEAD
           packer build -timestamp-ui \
             -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_STAGING }} \
+=======
+          packer build -only amazon-ebs.${{ matrix.architecture }} \
+            -timestamp-ui \
+>>>>>>> d44181d2b276aa78c43b8b8a038b6c7a2d1fa52c
             -var is_prerelease=${{ github.event.release.prerelease }} \
             -var release_tag=${{ github.event.release.tag_name }} \
             -var release_url=${{ github.event.release.html_url }} \

.github/workflows/release.yml

@@ -40,6 +40,12 @@ jobs:
     needs:
       - diagnostics
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          - arm64
+          - x86_64
     steps:
       - id: harden-runner
         name: Harden the runner
@@ -123,8 +129,13 @@ jobs:
         run: packer init src
       - name: Create machine image
         run: |
+<<<<<<< HEAD
           packer build -timestamp-ui \
             -var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_PRODUCTION }} \
+=======
+          packer build -only amazon-ebs.${{ matrix.architecture }} \
+            -timestamp-ui \
+>>>>>>> d44181d2b276aa78c43b8b8a038b6c7a2d1fa52c
             -var is_prerelease=${{ github.event.release.prerelease }} \
             -var release_tag=${{ github.event.release.tag_name }} \
             -var release_url=${{ github.event.release.html_url }} \

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.39.0
+    rev: v0.41.0
     hooks:
       - id: markdownlint
         args:
@@ -46,7 +46,7 @@ repos:
         # mirror does not pull tags for old major versions once a new major
         # version tag is published.
         additional_dependencies:
-          - prettier@3.2.5
+          - prettier@3.3.1
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.35.1
     hooks:
@@ -56,14 +56,14 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.0
+    rev: 0.28.4
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.6.2
+    rev: v3.7.1
     hooks:
       - id: validate_manifest
 
@@ -98,7 +98,7 @@ repos:
 
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.7.0-4
+    rev: v3.8.0-1
     hooks:
       - id: shfmt
         args:
@@ -116,14 +116,14 @@ repos:
           # Redirect operators are followed by a space
           - --space-redirects
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.9.0.6
+    rev: v0.10.0.1
     hooks:
       - id: shellcheck
 
   # Python hooks
   # Run bandit on the "tests" tree with a configuration
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.7
+    rev: 1.7.8
     hooks:
       - id: bandit
         name: bandit (tests tree)
@@ -138,7 +138,7 @@ repos:
         name: bandit (everything else)
         exclude: tests
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.2.0
+    rev: 24.4.2
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -152,24 +152,42 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
+    rev: v1.10.0
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.1
+    rev: v3.15.2
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v24.2.0
+    rev: v24.6.0
     hooks:
       - id: ansible-lint
-      # files: molecule/default/playbook.yml
+        additional_dependencies:
+          # On its own ansible-lint does not pull in ansible, only
+          # ansible-core.  Therefore, if an Ansible module lives in
+          # ansible instead of ansible-core, the linter will complain
+          # that the module is unknown.  In these cases it is
+          # necessary to add the ansible package itself as an
+          # additional dependency, with the same pinning as is done in
+          # requirements-test.txt of cisagov/skeleton-ansible-role.
+          # - ansible>=9,<10
+          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
+          # discussed in ansible/ansible#82702, which breaks any
+          # symlinked files in vars, tasks, etc. for any Ansible role
+          # installed via ansible-galaxy.  Hence we never want to
+          # install those versions.
+          #
+          # Note that any changes made to this dependency must also be
+          # made in requirements.txt in cisagov/skeleton-packer and
+          # requirements-test.txt in cisagov/skeleton-ansible-role.
+          - ansible-core>=2.16.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.90.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

requirements.txt

@@ -13,19 +13,15 @@
 # often breaking changes across major versions.  This is the reason
 # for the upper bound.
 ansible>=8,<10
-# TODO: Remove this pin when possible.  See
-# cisagov/skeleton-packer#312 for more details.
-#
-# ansible-core 2.16.3 and later suffer from the bug discussed in
+# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in
 # ansible/ansible#82702, which breaks any symlinked files in vars,
 # tasks, etc. for any Ansible role installed via ansible-galaxy.
+# Hence we never want to install those versions.
 #
-# See also cisagov/skeleton-ansible-role#178 and
-# cisagov/skeleton-generic#180.  Note from these PRs that any changes
-# made to this dependency must also be made in requirements-test.txt
-# in cisagov/skeleton-ansible-role and .pre-commit-config.yaml in
-# cisagov/skeleton-generic.
-ansible-core<2.16.3
+# Note that any changes made to this dependency must also be made in
+# requirements-test.txt in cisagov/skeleton-ansible-role and
+# .pre-commit-config.yaml in cisagov/skeleton-generic.
+ansible-core>=2.16.7
 boto3
 docopt
 semver

src/packer.pkr.hcl

@@ -73,8 +73,21 @@ variable "skip_create_ami" {
   type        = bool
 }
 
-data "amazon-ami" "debian_bookworm" {
+data "amazon-ami" "debian_bookworm_arm64" {
   filters = {
+    architecture        = "arm64"
+    name                = "debian-12-arm64-*"
+    root-device-type    = "ebs"
+    virtualization-type = "hvm"
+  }
+  most_recent = true
+  owners      = ["136693071363"]
+  region      = var.build_region
+}
+
+data "amazon-ami" "debian_bookworm_x86_64" {
+  filters = {
+    architecture        = "x86_64"
     name                = "debian-12-amd64-*"
     root-device-type    = "ebs"
     virtualization-type = "hvm"
@@ -86,8 +99,57 @@ data "amazon-ami" "debian_bookworm" {
 
 locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }
 
+<<<<<<< HEAD
 source "amazon-ebs" "nessus" {
   ami_name                    = "nessus-hvm-${local.timestamp}-x86_64-ebs"
+=======
+source "amazon-ebs" "arm64" {
+  ami_name                    = "example-hvm-${local.timestamp}-arm64-ebs"
+  ami_regions                 = var.ami_regions
+  associate_public_ip_address = true
+  encrypt_boot                = true
+  instance_type               = "t4g.small"
+  kms_key_id                  = var.build_region_kms
+  launch_block_device_mappings {
+    delete_on_termination = true
+    device_name           = "/dev/xvda"
+    encrypted             = true
+    volume_size           = 8
+    volume_type           = "gp3"
+  }
+  region             = var.build_region
+  region_kms_key_ids = var.region_kms_keys
+  skip_create_ami    = var.skip_create_ami
+  source_ami         = data.amazon-ami.debian_bookworm_arm64.id
+  ssh_username       = "admin"
+  subnet_filter {
+    filters = {
+      "tag:Name" = "AMI Build"
+    }
+  }
+  tags = {
+    Application        = "Example"
+    Architecture       = "arm64"
+    Base_AMI_Name      = data.amazon-ami.debian_bookworm_arm64.name
+    GitHub_Release_URL = var.release_url
+    OS_Version         = "Debian Bookworm"
+    Pre_Release        = var.is_prerelease
+    Release            = var.release_tag
+    Team               = "VM Fusion - Development"
+  }
+  # Many Linux distributions are now disallowing the use of RSA keys,
+  # so it makes sense to use an ED25519 key instead.
+  temporary_key_pair_type = "ed25519"
+  vpc_filter {
+    filters = {
+      "tag:Name" = "AMI Build"
+    }
+  }
+}
+
+source "amazon-ebs" "x86_64" {
+  ami_name                    = "example-hvm-${local.timestamp}-x86_64-ebs"
+>>>>>>> d44181d2b276aa78c43b8b8a038b6c7a2d1fa52c
   ami_regions                 = var.ami_regions
   associate_public_ip_address = true
   encrypt_boot                = true
@@ -103,16 +165,22 @@ source "amazon-ebs" "nessus" {
   region             = var.build_region
   region_kms_key_ids = var.region_kms_keys
   skip_create_ami    = var.skip_create_ami
-  source_ami         = data.amazon-ami.debian_bookworm.id
+  source_ami         = data.amazon-ami.debian_bookworm_x86_64.id
   ssh_username       = "admin"
   subnet_filter {
     filters = {
       "tag:Name" = "AMI Build"
     }
   }
   tags = {
+<<<<<<< HEAD
     Application        = "Nessus"
     Base_AMI_Name      = data.amazon-ami.debian_bookworm.name
+=======
+    Application        = "Example"
+    Architecture       = "x86_64"
+    Base_AMI_Name      = data.amazon-ami.debian_bookworm_x86_64.name
+>>>>>>> d44181d2b276aa78c43b8b8a038b6c7a2d1fa52c
     GitHub_Release_URL = var.release_url
     OS_Version         = "Debian Bookworm"
     Pre_Release        = var.is_prerelease
@@ -130,7 +198,14 @@ source "amazon-ebs" "nessus" {
 }
 
 build {
+<<<<<<< HEAD
   sources = ["source.amazon-ebs.nessus"]
+=======
+  sources = [
+    "source.amazon-ebs.arm64",
+    "source.amazon-ebs.x86_64",
+  ]
+>>>>>>> d44181d2b276aa78c43b8b8a038b6c7a2d1fa52c
 
   provisioner "ansible" {
     playbook_file = "src/upgrade.yml"

src/version.txt

@@ -1 +1,5 @@
+<<<<<<< HEAD
 __version__ = "0.2.1"
+=======
+__version__ = "2.0.0"
+>>>>>>> d44181d2b276aa78c43b8b8a038b6c7a2d1fa52c